hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiaoyu Yao (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14987) Improve KMSClientProvider log around delegation token checking
Date Wed, 01 Nov 2017 18:19:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16234513#comment-16234513

Xiaoyu Yao commented on HADOOP-14987:

bq. logAllUserInfo(UserGroupInformation ugi) could use an annotation too
Will this make the change incompatible? That's my major concern of not changing it.

bq. sorry I wasn't clear. I was thinking of just setting fallbackDefaultPort on KMSCP directly
in the unit tests so we don't need configs. My point is, if this is purely for testing, let's
make it as obviously as possible.

Inside KMSClientProvdier constructor, I don't find easy way to tweak the kmsPort setting to
accommodate the two test cases in TestLoadBalancingKMSClientProvider(testCreation and testClassCastException).
1. mockito does not work with URL, which is a final class from JDK
2. We could add this as additional parameter  (fallbackDefaultPort) to the constructor or
some static variable in the Factory class. But this would cause more code churns without bringing
much useful functionality. The test code does not always use the Factory class to create the
KMSClientProvider, which requires special handling in both the constructor and the Factory.

Please elaborate on how to set fallbackDefaultPort on KMSCP directly for the test.

> Improve KMSClientProvider log around delegation token checking
> --------------------------------------------------------------
>                 Key: HADOOP-14987
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14987
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 2.7.3
>            Reporter: Xiaoyu Yao
>            Assignee: Xiaoyu Yao
>            Priority: Major
>         Attachments: HADOOP-14987.001.patch, HADOOP-14987.002.patch, HADOOP-14987.003.patch,
> KMSClientProvider#containsKmsDt uses SecurityUtil.buildTokenService(addr) to build the
key to look for KMS-DT from the UGI's token map. The token lookup key here varies depending
 on the KMSClientProvider's configuration value for hadoop.security.token.service.use_ip.
In certain cases, the token obtained with non-matching hadoop.security.token.service.use_ip
setting will not be recognized by KMSClientProvider. This ticket is opened to improve logs
for troubleshooting KMS delegation token related issues like this.  

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message